Original report to security@:
Hello, I am contacting you in reference to a security vulnerability found in the MediaWiki Parsoid service.
In particular, the Parsoid web service page is vulnerable to reflected cross-site scripting, via the following URL: <host>:<ParsoidPort>/<img src=x onerror"javascript:alert('XSS')">
Please see screenshot attached below:
I am building a technical advisory to be published, with a CVE reservation number, to provide to the security community.
Waiting to hear from your company,
MediaWiki version: 1.27.0
I hope you find this useful. Please don't hesitate to contact me for further research or additional information in regard to this.
TODOs to address this:
- Create a patch fixing exploit -- @Arlolra
- Darian reviews patch -- @dpatrick
- Deploy patch to Wikimedia cluster -- @Arlolra
- Prepare v0.5.3 Debian package -- @ssastry (yet to be uploaded)
- Prepare v0.5.3 npm library -- @Arlolra
- Prepare Gerrit patch for merge -- @Arlolra
- Prepare security fix announcement -- @ssastry
- Upload v0.5.3 Debian package -- @ssastry, @Dzahn and ops
- Release npm library -- @Arlolra
- Upload and merge Gerrit patch -- @Arlolra, @ssastry
- Update Parsoid deployment log with info about Parsoid deploy on 10/31 -- @Arlolra
- Send announcement to wikitech-l, mediawiki-announce -- @ssastry
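
The class of bug in the report above, a request path reflected into an HTML response, shown as an added example that is not Parsoid's code and not the actual v0.5.3 fix. The handler names, the error-page wording and the response headers are assumptions made for illustration; the sample request is constructed from the URL in the report.

```javascript
'use strict';
// Added illustration: hypothetical handlers, not Parsoid's code or its actual fix.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Decode the path as a router would; malformed escapes fall back to the raw path.
function decodePath(rawUrl) {
  const path = rawUrl.split('?')[0];
  try { return decodeURIComponent(path); } catch (e) { return path; }
}

// Vulnerable pattern: the decoded path is concatenated into HTML unescaped.
function errorPageVulnerable(rawUrl) {
  return {
    status: 404,
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: '<h1>Not found</h1><p>No route for ' + decodePath(rawUrl) + '</p>',
  };
}

// Hardened pattern: escape on output, and add headers that limit damage if
// another reflection point is missed (assumed defaults, tune per service).
function errorPageHardened(rawUrl) {
  return {
    status: 404,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      'Content-Security-Policy': "default-src 'none'",
    },
    body: '<h1>Not found</h1><p>No route for ' + escapeHtml(decodePath(rawUrl)) + '</p>',
  };
}

// Regression check for a test suite: did the reflected input survive as a raw tag?
function reflectsRawTag(body) { return /<img\b/i.test(body); }

// Constructed sample request: the path from the report, percent-encoded as a client sends it.
const SAMPLE_URL = '/' + encodeURIComponent(`<img src=x onerror"javascript:alert('XSS')">`);

console.log('vulnerable reflects raw tag:', reflectsRawTag(errorPageVulnerable(SAMPLE_URL).body));
console.log('hardened reflects raw tag:  ', reflectsRawTag(errorPageHardened(SAMPLE_URL).body));
```
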